I'm working on an ASP.NET MVC Web App with Office 365 authentication. The web app runs perfectly on my computer, but when I transfer and run the project on other computers and on Azure, it gave me a Cryptographic Operation Error. After some research, I concluded that the Machine Keys are the ones causing the problem.
I have found the MachineKey for the Azure Web App Service, but when I put it in my local Web.Config, it still looks for my computer's original Machine Key. The same happens when I set it to auto-generate, both my computer and Azure throw the same error.
I need a way to reset the Machine Key my application is looking for. For example, if I set the Machine Key in Web.config to "KEY_EXAMPLE_HERE", my application will start to use that key. That way, I can set up the same Machine Key in all servers I need to run my application.
I don't know if the application looks for the key it generated when I created the Visual Studio project, but I need a way to change it.
Any help will be appreciated, thanks!
I am working on an ASP.NET MVC application on my local machine using the Visual Studio 2012 built in IISExpress. After a significant progress I decided to make it available across the Local network, I created a virtual directory from visual studio. I can log in but when I try to register a new user. I get the error below.
The anti-forgery token could not be decrypted. If this application is
hosted by
a Web Farm or cluster, ensure that all machines are running the same version of
ASP.NET Web Pages and that the configuration specifies explicit
encryption and validation keys. AutoGenerate cannot be used in a cluster.
I generated a new machine key from (ASPNET resources) and placed it in my configuration file but is not still working.Can someone suggest a solution?
One thing I noticed is that this error could be caused by having multiple #Html.AntiForgeryToken() pieces of code on the page. I had 2 on my page and once I removed the second one, this error went away.
You should be adding a machine key that is unique to the website/machine combination. It is this machine key that the token generator uses. This means that you should generate a machine key (which you can do here (dead link-beware) and add it to your Web.config file on your machine. You can find more information here:
http://msdn.microsoft.com/en-us/library/ff649308.aspx
You can also do this directly from within IIS: http://blogs.msdn.com/b/amb/archive/2012/07/31/easiest-way-to-generate-machinekey.aspx
There I was able to find the answer http://iamdotnetcrazy.blogspot.ru/2013/08/how-to-solve-anti-forgery-token-could.html
In my case this was an issue with the load balancer not having session persistance turned on for the site.
I was having a page which was using the partial view. Both contained #Html.AntiForgeryToken() and on removing the #Html.AntiForgeryToken() from the partial page, it worked.
I working on a MVC 4 site which has uses Authentication. The site requires that I specify the Machine Key values. I did this via the IIS interface having deselected the "automatically generate at runtime", generated the key values and having selected "generate a unique key for each application"
The web.config entry looks something like this:
<machineKey decryption="DES" decryptionKey="{hex-key value},IsolateApps"
validationKey="{hex-key value},IsolateApps" />;
While this seems to work fine on another web project it causes the "Decryption key specified has invalid hex characters" error on the dev machine I am working on now (both in IIS-Express and IIS 7.5).
Removing ",IsolateApps" from the key values solves the issue but since I need this option on in production I dont want to be removing it now only to have this issue when deploying.
What gives? The dev box is a SQL 2008 R2 box with .net 2.0 and .net 4.0.
The IsolateApps modifier causes ASP.NET to generate a unique key for each application on your server. This is only applicable if you are getting ASP.NET to auto-generate keys at runtime.
If you are not getting ASP.NET to auto-generate keys, and are instead specifying the keys using decryptionKey="{hex-key value}", then the way to get ASP.NET to use a different key for each application is to simply specify a different key in each application's Web.config.
The IIS config GUI allows you to create a Web.config with an explicit key together with the IsolateApps modifier, which is invalid, and in my opinion is a bug in the config GUI.
You can fix the issue by adding the following to the machineKey element (compatibilityMode="Framework20SP1") in the web.config See Link
This can be fixed by adding the machineKey line into your web.config, and specifying your keys as shown below (use your own key though of course, this one is easily guessable):
<configuration>
<system.web>
<machineKey decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0" validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF00123456789ABCDEF0123456789ABCDEF0123456789ABCDEF00123456789ABCDEF0123456789ABCD" />
</system.web>
</configuration>
So I've created a new ASP.NET MVC project using the intranet template. web.config contains the appropriate values (e.g. <authentication mode="windows"/>).
If I fire up the web app using the VS webserver, it all looks fine - the page shows my Windows domain and username and all. However, this works in Opera and Safari as well as IE and FF, which says to me it's not using Windows auth at all (since to the best of my knowledge this doesn't work in any browser except IE/FF).
Next step is to get it working through local IIS. I create a hosts file entry pointing www.mysite.mydomain to 127.0.0.1. So in IIS I create website with a binding to www.mysite.mydomain and enable Windows authentication and disable anonymous authentication.
I have set up IE and FF to enable Windows auth as follows:
IE
Add URL to intranet group
Ensure Windows auth is enabled in the advanced settings
FF
Put 'www.mysite.mydomain' into network.automatic-ntlm-auth.trusted-uris config setting.
But when I dial up www.mysite.mydomain in IE / FF I get a login prompt. Interestingly, even when I type in my Windows login here, it still fails and shows me the login prompt again.
We don't have active directory here but my understanding is that it should work fine with a local account.
I can't think of anything else I need to do. Any suggestions?
Edit: we've recently switched to using Active Directory and the problem remains.
Edit: when I cancel the login prompt, I get taken to an 'IIS 7.5 Detailed Error' page with the following information:
HTTP Error 401.2 - Unauthorized
You are not authorized to view this page due to invalid authentication headers.**
You have to whitelist a domain specified in the hosts file in order for windows authentication to work:
Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Right-click Parameters, click New, and then click DWORD (32-bit) Value.
Type DisableStrictNameChecking and press ENTER.
Double-click the DisableStrictNameChecking registry value and type 1 in the Value data box, click OK
In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0, point to New, and then click Multi-String Value.
Type BackConnectionHostNames, and then press ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
Quit Registry Editor, and then restart the IISAdmin service.
NOTE:
The original Microsoft KB links on this answer were broken and have been removed.
This article provided the instructions for setting DisableStrictNameChecking.
I recently spent three days trying to solve the same problem and it drove me crazy. It was happening on a load-balanced setup where one of the servers was authenticating correctly while the other failed. Investigating the problem - and eventually solving it - it turned out to be unrelated to the load-balanced environment, it could happen with any server when authenticating using Windows Authentication and the server is called with a name other than the one recognized by Active Directory
1. Enable Kerberos logging
To correctly diagnose your issue, you will need to enable Kerberos logging on the machine hosting your IIS site. To do so, add the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Add Registry Value LogLevel with ValueType REG_DWORD and value
0x1.
Once you turn on logging, then you try to authenticate, you will get errors logged in your Windows Application Log. You can ignore the error KDC_ERR_PREAUTH_REQUIRED (this is just part of the handshake) but if you get the error KDC_ERR_C_PRINCIPAL_UNKNOWN that means your AD controller doesn't recognize your server therefore you need to follow the steps below.
2. KDC_ERR_C_PRINCIPAL_UNKNOWN
if you're getting KDC_ERR_C_PRINCIPAL_UNKNOWN, that means the name "mysite.mydomain.com" is different from how the AD recognizes your machine so it's unable to provide a valid kerberos ticket. In that case, you need to register a Service Principal Name (SPN) for " 'www.mysite.mydomain" on the AD.
On your AD controller, run this command - you will need Domain Admin privilege:
Setspn -A HTTP/mysite.mydomain YOUR_MACHINE_HOSTNAME
3. Use a custom identity for your Application pool
Finally, make you Application pool use a custom account that belongs to the Active Directory instead of using NetworkService. This can be done in advanced settings of your application pool.
and .. voila.
Notes: The problem could (unlikely) be related to having multiple SPNs registered to the same machine, in that case you will need to run a command to remove duplicate SPNs, but I doubt this is the case. Also try adding a different binding to your site (that doesn't use a custom name) something like htttp://localhost:custom_port_number and see if authentication works. If it works, this is an extra indication that you're suffering from the same problem I had.
Did you try putting the domain in front of the user name?
DOMAIN\username
If you don't have a domain account, try prefixing your username with the machine name:
MYCOMPUTER\myusername
You should check to see if you have Windows Authentication installed/enabled. That may sound weird but in IIS 7 you have to install and enable the various authentication methods. Check out http://support.microsoft.com/kb/942043/ for more info, see quoted section below.
Cause 1
The Web application is configured to use Integrated Windows
authentication. However, the Windows Authentication feature is not
turned on. Or, the Integrated Windows authentication native module
section of the ApplicationHost.config file or of the Web.config file
is not valid. To resolve this problem, see Resolution 1.
Original
Usually when you try to view an asp.net web page hosted on IIS and receive a login prompt it doesn't mean your credentials weren't received or that you aren't authenticated. What it means is that the account that your website is running under doesn't have the right permissions to work with the files.
In IIS 6 and 7 you can easily change the user account that your app pool runs under. Try changing the app pool identity to an account with more access specifically designed for this. Or if you want to stick with the existing account (IUSR_? Network Service?) you can grant that account more permissions on the directory where your website is stored.
This article is specifically targeted at BizTalk but has almost no references to it and focuses on troubleshooting permissions issues with IIS and app pools: http://msdn.microsoft.com/en-us/library/aa954062.aspx
Why local IIS? Can you use local IIS Express?
If so, try this. It seems that IIS Express by default has Windows Authentication set to false.
Change
<windowsAuthentication enabled="false">
to "true" in applicationhost.config file (under 'C:\Users[Profile]\Documents\IISExpress\config' folder). This works for me.
To ensure that IIS uses Windows Authentication, I think you should try to turn of other authtentication methods. If Anonymous Authentication is enabled, Windows authentication will not work. You can also read this Microsoft Support Article which describes IE and IIS requirements in details.
I got this error when I enabled Windows authentication. I wanted to authorize the user based on Windows login and there is no login page in my application.
I got the error fixed by adding the below in my Web config file.
Under the tag system.web, I changed authentication mode="None" to
authentication mode="Forms".
Under the tag appSettings, I added add key="owin:AutomaticAppStartup" value="false"
After reading the answer of Espen Burud, I solved my problem by changing in the root's web.config:
<allow users="*" />
to
<deny users="?" />
The page that needs Windows Authentication is not in the root, but in a sub directory with its own web.config with deny users ? but that did not make Windows Authentication working. Apparently, you need to deny users in the root for that to work.
The IIS config has Anonymous Authentication enabled; that did not matter. After the above change of web.config, Windows Authentication worked.
For Dot Net Core 2.2 and running on IIS, I was having issues with 401.2 Unauthorized when I would check the Enable Windows Authentication within my application. It was a exceedingly simple test website that did basically nothing, just to try and get windows authentication to work. I finally got the auth to work, and here's what you'll need:
Within Startup ConfigureServices:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
Open the application's Properties, click Debug option on the left and make sure you check Enable Windows Authentication.
But here's the kicker that I had forgotten... Configure your system to have Windows Authentication installed on IIS. This was never setup on my machine, and regardless what I did, I would always get a 401 unauthorized error. After installing this (Win 10, IIS v10.0.18362.1) I now get a login prompt. This isn't exactly what I need at this point, but at least it's not the unauthorized error. Good luck and hopefully this helps.
After publishing a new build of my ASP.NET MVC web application, I often see this exception thrown when browsing to the site:
System.Web.Mvc.HttpAntiForgeryException: A required anti-forgery token was not supplied or was invalid. ---> System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster. ---> System.Web.UI.ViewStateException: Invalid viewstate.
This exception will continue to occur on each page I visit in my web application until I close out of Firefox. After reopening Firefox, the site works perfectly. Any idea what's going on?
Additional notes:
I am not using any ASP.NET web controls (there are no instances of runat="server" in my application)
If I take out the <%= Html.AntiForgeryToken %> from my pages, this problem seems to go away
Under the covers, the MVC AntiForgeryToken attribute uses the machinekey for encryption. If you don't specify a machinekey in the web.config (see here), one is automatically generated for you by ASP.NET (full description).
If the ASP.NET application is restarted (e.g. do an iisreset), the AntiForgeryToken within the browser cookie will still be encrypted with an old machine key, hence why it crashes with the above error.
So you should always specify a machinekey in your web.config when using MVC, e.g.
<configuration>
<system.web>
<machineKey
validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
validation="SHA1"
decryption="AES"
/>
...
If you're on a server farm, make sure your machine key on every server is the same.
I too had this problem, and expecting the users to clear their cache, cookies or refreshing the page isn't acceptable.
Adding a machinekey to web.config is will fix this. I used this tool to quickly generate a key so I don't see these errors in development and then I generate one properly when the site goes into production.
http://aspnetresources.com/tools/machineKey